Whitepaper
Plant Network Security
How to defend your Plant against the threats of 2014?

Yokogawa Europe B.V.
Euroweg 2
3825 HD Amersfoort, The Netherlands
July 2014
Table of Contents
1. Introduction
2. Background
2.1 Malware targeting the industry
2.2 The Human Factor
2.3 Security policies and standards
3. Security solutions
3.1 Network Security Design & Zones
3.2 Firewall, first line of defense
3.3 Anti-Virus: protection against Malware
3.4 Security Patch updates
3.5 Disaster recovery & Backups
3.5.1 Backup possibilities
3.5.2 Backup and Restore recommendations
3.6 System Hardening
3.6.1 Closing all entrances
3.6.2 Active Directory, preventing Human errors
3.6.3 Restricted USB usage
4. Wireless in the process control domain
4.1 Wi-Fi
4.2 ISA100 protocol for wireless
5. The Future
6. Recommendations
Executive Summary

Over the last decade, technology in industrial process control systems has changed significantly by utilizing Information Technology (IT). Although using IT has largely benefited the industry, it also brought new challenges to the process control systems, such as network security. The increasing number and reach of cyber threats in process control systems cannot be ignored.

In the past, (cyber) security threats were mainly intended attacks from the outside. Nowadays, the majority of security incidents reported from process control are unintended incidents, such as malware infections, often caused by internal sources, like employees. Besides internal threats, external threats of course play an important role too. When a hacker - someone who attempts to gain unauthorized access to proprietary computer systems - decides to attack a process control network, the damage caused can vary from theft of confidential information to a complete shutdown of systems. The biggest and most urgent question most plant owners are concerned about regarding cyber-security is therefore: how to protect their network from these hackers and malware infections?

This whitepaper describes the current trends in security threats for the process control industry. It is intended to provide insight into how process control systems can be secured and defended in a changing technology landscape.

Yokogawa's first step into commercially available hardware and software was the introduction of CENTUM CS3000. This was the first time that commercially available PCs running the Windows operating system were introduced as part of the DCS. In 2005, the next step was made with the introduction of Vnet/IP, which replaced the token-bus-based Vnet by Ethernet networking equipment. These major changes did not only happen at Yokogawa, but also at other suppliers. All suppliers have to adapt to these frequent developments and changes in the IT world.
1. Introduction

Changing technologies
Over the last decade, technologies used in process control networks have changed significantly. In the early days, human interface equipment provided by an industrial automation supplier was based on proprietary hardware, software and operating systems. Communication between network elements was also based on proprietary, or at least not widely commercially used, protocols. However, industrial process control system suppliers have been forced to introduce low-cost and open solutions due to market demand. At the same time, the usage of the Internet in the public sector has exploded, which automatically has led to an increasing number of security threats.

The hacker community evolved with this changing market. In an earlier stage, their aim was somewhat innocent: infecting as many computers as possible, mainly to become famous within the hacker community. Although this is still important, a new type of hacking has become even more threatening. These new hackers are not just interested in their reputation, but even more in money (e.g. theft of credit card numbers) or in causing damage to targeted industries (e.g. environmental activists).

The main motivations for connecting the process control network to the office network are listed as follows:
- To retrieve data for Manufacturing Execution Systems such as: Production Planning; Production Scheduling; Reporting and Accounting.
- Remote access from the office network or from other locations via the Internet;
- Retrieving anti-virus and patch updates from the office network or the Internet;
- Data Historians.

Because in the past the industrial automation systems were not connected to the Internet, these new cyber threats did not affect the world of industrial automation. Obviously this has changed. Two formerly different and enclosed "worlds" are coming together. We have now reached a point where network security can no longer be ignored within the industrial automation landscape.
2. Background

2.1 Malware targeting the industry
In July 2010, a new threat related to process control systems was discovered. This new threat is referred to as Stuxnet, a sophisticated malware targeting Siemens PLC systems. Before the appearance of Stuxnet, process control systems had not been recognized as a potential target for malware developers. However, the appearance of this new generation of malware shattered such an optimistic view. After Stuxnet, many other process control malware families emerged. Within the same year, Duqu, a reconnaissance virus, emerged. One year later the most sophisticated espionage tool, Flame, was discovered. And in 2013 the cyber espionage malware program Red October was discovered.

Statistics from the industry in general, as well as from Yokogawa, show that the number of security incidents has grown with the increasing number of threats. These statistics are compiled from threats in all markets. Although not all threats are applicable to process control systems, the increase of threats can also be projected onto process control systems.

Spending money on security is similar to spending money on health insurance. If you don't have insurance, a single incident will cost you an amount of money that exceeds the cost of insurance for the entire lifecycle of your plant.
2.2 The Human Factor
Besides security threats due to changes in technology, there are also cyber-security threats that have been around all along: unintended actions (human errors) causing security incidents, and insiders and outsiders with malicious intent. One way to mitigate the risks associated with cyber threats and the human factor is by implementing physical security in the form of locked cabinets or rooms with key card authentication. If personnel have no access to areas where they might cause serious security incidents, either intended or unintended, risk factors will be minimized. Another important point to consider is to give your personnel security awareness training.

2.3 Security policies and standards
Because of the increasing security threats, a number of organizations in the industry have initiated procedures and standards to reduce the risks. Some of these organizations focus on setting policies for information and communication technology (ICT) security in general. Others, with a specific interest in the process control industry, have developed a special process control security policy. Both the ISA and the IEC are good examples of organizations that have developed security policies. Yokogawa has supported these organizations from the beginning and contributed to the development.

Process Control Security
Although the security technologies implemented in process control systems are the same as for ordinary and more general IT systems, the priorities of a general IT network differ from those in process control. Fig. 1 (ANSI/ISA-99) shows these different priorities, as composed by the International Society of Automation (ISA).

Eugene Howard Spafford, a leading computer security expert, once said: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

Figure 1: ANSI/ISA 99
3. Security solutions
Even if we were able to achieve an appropriate security level by introducing security measures into plant control systems, the security level will decrease every day, because new malware is being created on a daily basis. Security is a dynamic and never-ending process and must therefore be seen as part of what Yokogawa refers to as the Security Lifecycle.

The next section describes solutions to mitigate the risks of cyber-security incidents. Depending on local situations, the following security solutions can be considered:
- Network Security Design;
- Firewall;
- Anti-Virus;
- Security Patch Updates;
- Disaster Recovery & Backups;
- System Hardening.

3.1 Network Security Design & Zones
In case a plant control system consists of a few computers, the network operators can manage them rather easily. However, even if the number of computers is not so large, dividing a network into several zones is still important. In case of a cyber-security incident, the incident can be isolated within a specific zone. Proper network architecture therefore enables network operators to manage the network safely. Figure 3 shows an example of a typical network architecture. This suitable network architecture should be the crucial basis for all security measures.

To introduce security measures, the following steps are recommended by Yokogawa:
1. Determine which kind of asset should be protected.
2. Develop a security policy to protect the asset, based on the type of asset.
3. Introduce security measures based on the security policy.
4. Periodically assess the measures.

Yokogawa can provide further advice on these matters.
Figure 3: example of a typical network architecture

The classification of a network is the basis of security control. The network is classified from level 0 to level 4 according to network security and functionality.

Level 4: The office domain, which is usually out of the Yokogawa scope.

Level 3.5: This is not an official zone, but a Yokogawa definition. This DMZ (demilitarized zone) makes it possible to get secured data to and from the Process Control domain and manages all the data traffic coming from Level 4 to the control system layers (Level 3 and lower layers).

Level 3: Site Manufacturing Operations Control
Level 3 includes the functions involved in managing work-flows to produce the desired end products. It consolidates raw data/information from the Level 2 PCN and processes it before the data and information are utilized by Level 4 networks such as an ERP system. Therefore, it provides the vertical integration functionality between the Level 4 corporate network and the Level 2 PCN.

Level 2: Area Supervisory Control
Level 2 includes the functions involved in monitoring and controlling the physical process. For example, the HMI stations are located here.

Level 1: Local or Basic Control
Level 1 includes the functions involved in sensing and manipulating the physical process. Level 1 includes continuous control, sequence control, batch control, and discrete control. Also included in Level 1 are safety and protection systems that monitor the process and automatically return the process to a safe state if it exceeds safe limits.

Level 0: Process Control
Level 0 is the actual physical process. It includes the sensors and actuators directly connected to the process and process equipment.
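The zone model above can be turned into a check that runs against a proposed firewall rule set before it is deployed. The following Python script is an added example, not Yokogawa's code or configuration: the zone names, the "any port" sentinel and the sample rules are constructed, and it encodes the DMZ principle stated for Level 3.5 together with the default-deny firewall behaviour described in section 3.2 (everything blocked unless a rule allows specific traffic).

```python
"""Default-deny zone policy checker for the Level 0-4 model (added example).

Zone names and sample rules are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone map following the level model in the text (Level 3.5 = DMZ).
ZONE_LEVEL = {
    "office": 4.0,    # Level 4: office domain
    "dmz": 3.5,       # Level 3.5: DMZ between office and process control
    "mes": 3.0,       # Level 3: site manufacturing operations
    "pcn": 2.0,       # Level 2: HMI / area supervisory control
    "control": 1.0,   # Level 1: controllers and safety systems
}

ANY_PORT = 0  # constructed sentinel meaning "all destination ports"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    port: int     # destination port; ANY_PORT means unrestricted
    purpose: str  # why the rule exists, for the review report


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Firewall semantics from the text: all traffic is blocked unless a rule allows it."""
    for r in rules:
        if r.src == src and r.dst == dst and r.proto == proto and r.port in (port, ANY_PORT):
            return True
    return False


def lint_rule(rule: Rule) -> Optional[str]:
    """Return a finding when an allow rule contradicts the zone design, else None."""
    s, d = ZONE_LEVEL[rule.src], ZONE_LEVEL[rule.dst]
    lo, hi = min(s, d), max(s, d)
    # Office hosts (Level 4) may only ever talk to the DMZ, in either direction:
    # a rule joining Level 4 with anything below Level 3.5 bypasses the DMZ.
    if hi >= 4.0 and lo < 3.5:
        return f"{rule.src}->{rule.dst} ({rule.purpose}): direct office/process link bypasses the DMZ"
    # "Specific traffic can be allowed": an any-port rule is not specific.
    if rule.port == ANY_PORT:
        return f"{rule.src}->{rule.dst} ({rule.purpose}): allows every {rule.proto} port"
    return None


def lint(rules: List[Rule]) -> List[str]:
    """Collect findings for a whole rule set."""
    return [f for f in (lint_rule(r) for r in rules) if f]


# Constructed sample rule set for a plant laid out as in the zone model.
SAMPLE_RULES = [
    Rule("office", "dmz", "tcp", 443, "reports served by the DMZ replica server"),
    Rule("dmz", "mes", "tcp", 443, "DMZ replica pulls from the Level 3 historian"),
    Rule("dmz", "pcn", "tcp", ANY_PORT, "DMZ relay to HMI stations, unrestricted"),
    Rule("office", "pcn", "tcp", 3389, "remote desktop straight to an HMI"),
    Rule("pcn", "office", "tcp", 445, "HMI reaching an office file share"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print("VIOLATION:", finding)
    print("office->mes/443 allowed?", is_allowed(SAMPLE_RULES, "office", "mes", "tcp", 443))
```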
3.2 Firewall, first line of defense
The firewall is the first line of defense against intrusion from other networks. If a process control network is connected to any other network, it is considered mandatory to install a firewall between these two networks. With a firewall, all traffic between two, or even more, networks can be regulated. A firewall will block all traffic between the networks, but by adding rules, specific traffic can be allowed. The firewall does not only reduce the risk that unauthorized people can get access to the network, but also minimizes the risk that problems in one network segment traverse to another network segment or zone.

Figure 4: Office Domain - DMZ - Process Control Domain

In addition to a firewall, an extra layer of security can be created with a so-called Demilitarized Zone (DMZ, see Figure 4). It can be used to segregate process control networks from office networks. Once a DMZ is created, there is no longer a direct connection between hosts in the office network and process control. This can be seen in Figure 4, in which the red arrow shows a direct connection and the green arrows show the data flow via the DMZ.

3.3 Anti-Virus: protection against Malware
The most dominant threats these days are viruses, worms, and Trojan horses. These security threats have increased dramatically over the last years. Figure 5 gives an overview of the number of viruses over the last years as reported by McAfee. Not only is the number of malware samples continuously increasing; at the same time the vulnerability of plant control systems to malware infection is increasing as well.
Most computers offer network security features to limit outside access to the computer system. Software such as anti-virus programs and spyware blockers prevents malicious software from running on the machine.

Figure 5: Increasing number of malware

3.4 Security Patch updates
It is recognized that operating systems on computers, such as Microsoft Windows, are vulnerable to outside attacks. Microsoft regularly releases patches to fix these vulnerabilities. It is important that these critical patches are applied regularly, especially when connections between process control systems and other networks are open.

It is important to mention that anti-virus software alone does not reduce the need for patches. For example, vulnerabilities in Microsoft Windows can be used to switch off the virus scanner from outside. At the same time, not all patches apply to process control systems. Vendors like Yokogawa publish the relevant and critical patches online.

Fig. 6 shows the number of reported vulnerabilities for Microsoft and non-Microsoft operating systems. This is a picture from the Microsoft annual Security Intelligence Report. It shows that Microsoft is doing a relatively good job, but that there is still a number of reported vulnerabilities that might be a backdoor for illegal intrusion into networks.

Figure 6: Reported vulnerabilities, Windows (source: Microsoft)
3.5 Disaster recovery & Backups
What if a malicious incident occurs on your plant's network? Without proper backups, recovery becomes quite difficult. It could take operators several days to recover from an incident, depending on the system complexity: reinstalling the OS, applications, patches, system updates, and other system requirements will take time and resources. Furthermore, even when the system can be recovered, there is no guarantee that the environment will be exactly the same as before the incident.

3.5.1 Backup possibilities
Luckily, there are two different backup and restore solutions, which differ in recovery time.

An Image Backup: an image backup is an exact copy of your entire hard disk and/or disk partitions. This means that it contains all files, including all installed software. If a hard disk crashes and needs to be replaced, the image backup can be used to recover the PC. It is much faster than reloading the system from the original software, which takes much time because all software has to be re-installed and may result in a serious production slowdown.

A Data Backup: a data backup means that copies of individual or multiple data files are made so that these can be restored after a data loss event. This can be useful when a small number of files has accidentally been deleted or corrupted. All changes made over time (maybe years) will be lost if the database gets corrupted or lost. Therefore, a data backup is very valuable.

3.5.2 Backup and Restore recommendations
Even though image backups may not be seen as an essential recovery method - in fact: you can recover without them - it is still strongly recommended to implement image backups as a standard procedure. For example: if an important computer fails, the restoration time should be as short as possible. Otherwise you'll lose money due to production slowdown. In order to realize a quick restoration, image backups are the fastest solution.
As already mentioned, from a technical point of view it may seem less critical to save time when performing a backup. Though especially for large networks, significant time spent by operators on backing up and re-installing may lead to unnecessary operational expenses. This time can be reduced significantly when backups are automated by a backup manager. It is recommended for large systems (i.e. more than 10 computers) to install automatically managed backup software.

A 100% secured network is a utopia. Just think about the dilemma that security and workability may not be in harmony. Trade-offs may have to be made between security and workability, and nobody can guarantee that process control systems will never get infected with malware. Moreover, even if we establish secure systems and networks, this would not avert all cyber-security troubles. Therefore the owners need to prepare with what Yokogawa refers to as an Incident Response Plan.
3.6 System Hardening
Many computers offer network security features to limit outside access to the network system. Yet, even with all previously discussed security measures (like anti-virus) in place, computers are often still vulnerable to outside access. System hardening, also called operating system hardening, helps to further minimize these security vulnerabilities. System hardening means protecting and closing all normal entrances into the system; for example, if an application is installed on your computer, it might accept a request from outside the PC. System hardening prevents these backdoor entrances.

The purpose of system hardening is to eliminate as many security risks as possible. This is typically done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, if they provide "back-door" access to the system, they must be removed during system hardening. Hardening is also used to protect the PC from being used as a regular computer. For example, if a machine such as an HMI is installed, system hardening will close all possibilities of accessing the normal Microsoft desktop.

3.6.1 Closing all entrances
The introduction of anti-virus and patch updates is the first step to establishing a secure system. However, only implementing these measures is not enough for a secure system. Additionally, hardening of network devices such as Bluetooth, Wi-Fi, etc. is also highly recommended. Even if network traffic is regulated, network devices sometimes remain vulnerable to attacks. If an attacker can access devices physically, he or she can connect an Ethernet cable to an unused port and attack all process control systems.

3.6.2 Active Directory, preventing Human errors
Plant control systems can be protected against unintended attacks such as human errors by hardening the system: programs that are not required for process control are disabled.
The programs that are not required will be disabled in case of an incident. This will not only protect the systems against intended disruptions, but also makes it impossible for an operator to start a program that may cause unintended system malfunctions.

Network Management System: securing a sustainable operation
To keep operation sustainable, it is definitely effective to introduce a Network Management System (NMS). With an NMS, network operators can easily understand the network situation, including the network devices. An NMS has various types of functions to monitor the health of networks. After configuring the NMS properly, it will generate alerts if something happens, e.g. when the volume of traffic is too high or a RAID array on a PC fails. Introduction of an NMS will support network operators in avoiding serious incidents.
The most effective way to accomplish system hardening is with the use of Microsoft Active Directory. With this, the management of all computers in the network can be maintained from one single computer. Additionally, Active Directory has the possibility to manage users and groups by checking permissions and passwords for all computers in the network. This will improve operational efficiency. Even if only a few PCs are used in the system, it is recommended to introduce Active Directory to avoid operational mistakes.

3.6.3 Restricted USB usage
Nowadays, the work of maintenance engineers is very hard without the use of USB sticks. However, USB sticks are one of the main sources of malware infections. Because of workability issues for engineers, USB devices cannot be completely abolished. To mitigate the risk, however, it is highly recommended to limit the use of USB devices. The use of USB devices can be restricted in various ways. One of these options is to use Active Directory, as mentioned in 3.6.2.

Yokogawa Security Competency Laboratories
Yokogawa's Security Competence Laboratories all over the world play a key role in the company's overall cyber-security activities. Collectively, these laboratories serve as a dedicated center of excellence in which Yokogawa system and cyber-security specialists can collaborate to link current security technologies to the company's systems, to help protect the company's customers from constantly evolving and increasingly sophisticated cyber-security threats.

Yokogawa Security Competency Laboratory
4. Wireless in the process control domain
The need for introducing wireless systems in the process industry is increasing, mainly to reduce costs and improve effective communications. The introduction of wireless systems, however, raises new issues for the industry:
- Real-time operational excellence
- Environmental resistance
- Protection against explosion
- Radio wave interference
- Security (e.g. eavesdropping, falsification, spoofing)

In the case of wireless systems, a potential attacker does not need to access a device physically. Physical security measures are therefore inadequate. It is necessary to introduce other security measures as well, such as an encryption system.

4.1 Wi-Fi
In the process control landscape Yokogawa distinguishes two types of wireless: Wi-Fi and ISA100.11a. "Wi-Fi" is a trademark of the Wi-Fi Alliance and the brand name for products using the IEEE 802.11 family of standards, which is different from ISA100.11a. Wi-Fi has been introduced gradually. However, Wi-Fi also has security issues; the listed measures are therefore highly recommended:
1. Setting up an SSID and hiding the SSID
2. Filtering by MAC address
3. Connecting the Wi-Fi network only through the previously described firewall
4. Using encryption (WPA2 only)

Introducing only the first two measures will be inadequate to protect plant control systems, so it is better to also introduce a firewall and an encryption system.

4.2 ISA100 protocol for wireless
ISA100 is an open wireless networking technology standard developed by the International Society of Automation (ISA). The ISA100 protocol ensures safe and secured wireless communication, so that no hacker can get access to the system. The ISA100 protocol was issued in September 2009 and targets field instruments. This technology brings plant control system owners many advantages, such as cost reduction and better maintenance.
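The four Wi-Fi measures of section 4.1 can be audited from the access point's configuration. The following Python script is an added example, not Yokogawa's code: it assumes a hostapd-style key=value configuration and checks measures 1, 2 and 4 (hidden SSID, MAC allow-list, WPA2-only encryption); measure 3, placing the Wi-Fi network behind the firewall, lives outside the AP configuration and is not checked. Both sample configurations are constructed.

```python
"""Audit an access-point configuration against the Wi-Fi measures of section 4.1.

Added example: assumes hostapd-style key=value configuration; both sample
configurations are constructed and do not describe any real plant.
"""
from typing import Dict

WEAK_CONF = """\
# constructed sample: access point left at typical defaults
interface=wlan0
ssid=PLANT-AP
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
"""

HARDENED_CONF = """\
# constructed sample: hidden SSID, MAC allow-list, WPA2/CCMP only
interface=wlan0
ssid=PLANT-AP
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments (hostapd syntax)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text: str) -> Dict[str, bool]:
    """Map each configurable measure of section 4.1 to whether the AP meets it."""
    c = parse_conf(text)
    # hostapd 'wpa' is a bitfield: 1 = WPA only, 2 = WPA2 (RSN) only, 3 = mixed mode.
    wpa2_only = c.get("wpa") == "2"
    # Even with wpa=2, leaving TKIP enabled as an RSN cipher weakens the WPA2 protection.
    ciphers = c.get("rsn_pairwise", "CCMP").split()
    return {
        # measure 1: an SSID is configured and not broadcast
        "ssid_hidden": bool(c.get("ssid")) and c.get("ignore_broadcast_ssid", "0") != "0",
        # measure 2: macaddr_acl=1 means deny unless the MAC is in the accept file
        "mac_filter": c.get("macaddr_acl", "0") == "1",
        # measure 4: WPA2 only, with CCMP as the only pairwise cipher
        "wpa2_only": wpa2_only and ciphers == ["CCMP"],
    }


def verdict(findings: Dict[str, bool]) -> str:
    """Section 4.1: the first two measures alone are inadequate without encryption."""
    if not findings["wpa2_only"]:
        return "inadequate: WPA2-only encryption is missing"
    if not (findings["ssid_hidden"] and findings["mac_filter"]):
        return "partial: encryption present, SSID hiding or MAC filtering missing"
    return "meets all configurable measures"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(name, result, "->", verdict(result))
```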
5. The Future
When reflecting on security, most people would like to anticipate how an attacker will attack. In 2014 certain threats are developing within the IT world which might become applicable to the process control world as well. For example: there is a large growth in ransomware - a kind of malware that will encrypt your hard disk and ask the victim for money (a ransom) for the key to decrypt it. See the figure below from McAfee.

Source: McAfee

Furthermore, nowadays everybody has a smartphone, and this is likely to increase even further in the future. Of course this has consequences for the way we now protect our assets. Think about it: what happens when an employee's phone battery needs to be recharged during a night shift and the only device available to him is a Distributed Control System (DCS)? Some employees might charge their phones on a free USB port, introducing the risk of a virus entering the DCS, or even worse: creating a backdoor entry directly into the plant via the 3G network. It is obvious that companies must be aware of these developing network security risks and how they can affect their plant network security.

For the future it is important to realize that a plant or factory does not only need protection against evil outsiders or hackers; as discussed in this document, internal use by employees of all kinds of (online) electronic devices is risky too. Finally, you don't need to be Einstein to see that smart viruses and malware will only get smarter. In the case of network security the industry may always be one step behind, but the only way to deal with this is to stay vigilant.
6. Recommendations
Each organization should consider investing in proper security measures. With the existence of many security threats, implementing a solid security solution clearly brings long-term security (and production) advantages, although it might be seen as an unwelcome and even unnecessary source of expenses. Key solutions are to implement things like anti-virus, patch management, a firewall, or hardening your system. For medium/larger systems, implementing a Network Management System is essential to monitor your network.

If you are not confident about your plant or factory security approach, or if you need help convincing your management about security investments, Yokogawa security consultants can help you by conducting a Security Assessment. The outcome is a clear report which lists your vulnerabilities and indicates the measures that you can take to mitigate these vulnerabilities.

Helpful Resources
About Yokogawa Security Assessment (by Yokogawa)
Brochure: Cyber Security for Industrial Control Systems (by Yokogawa)
Video: Security: YOKOGAWA IA System Security Solutions (YouTube)
Read more: www.yokogawa.com

Yokogawa Electric Corporation is a Japanese electrical engineering and software company, with businesses based on its measurement, control, and information technologies.

Contact us
For more information please visit www.yokogawa.com/eu to find contact information for Yokogawa in your area. For Europe please send an e-mail to PNSD@nl.yokogawa.com and a Yokogawa security expert will get in contact with you. You can also use the digital contact page to get in contact with a Yokogawa Security Expert.

Every high-technology product from Yokogawa has to fulfill three basic criteria: Quality, Innovation, Foresight. We are one of the world leaders in industrial automation and control, test and measurement, information systems and industrial services. Besides being high quality, innovative and advanced, our products are also safe and durable.
In other words, we supply smart technology, made by smart professionals. Many of our customers are major and global names in oil and gas upstream and midstream, refining and petrochemical, power and energy industries.